Encrypting globally unique identifiers at communication boundaries

ABSTRACT

Systems, methods, and computer-readable storage media for encrypting communications containing or referencing globally unique identifiers to prevent unauthorized access to content item data, such as through spoofing or ancillary information leakage. An example system configured to practice the method identifies a communication, between a storage environment and a client device, associated with a globally unique identifier for a content item stored in at least one of the storage environment and the client device. The content item can be addressable via a globally unique identifier. Prior to transmitting the communication, the system can encrypt a portion of the communication containing the globally unique identifier using an encryption key based on a client-specific key and a secret version-specific key to yield an encrypted communication, and transmit the encrypted communication to the client device.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority under 35 U.S.C. §119(e)to U.S. Provisional Patent Application No. 61/746,408, filed on Dec. 27,2012, which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present technology pertains to Globally Unique Identifiers (GUIDs)for content items, and more specifically pertains to GUIDs forindividual content items in a multi-user network-based contentmanagement environment.

BACKGROUND

A multi-user network-based content management environment (storageenvironment) allows users to upload and store content items in a datastorage medium associated with an account, which the users may thenaccess from virtually any network-enabled computing device. However, asthe number of users and content items increases in such a storageenvironment, the complexity and quantity of data quickly scale andbecome difficult to manage. One way to manage these content items is bystoring them in a particular directory structure that reflects contentitem relationships and access permissions. However, this approach canintroduce problems or limitations when implementing sharing between useraccounts or when attempting to increase storage efficiency.

SUMMARY

Particular features and advantages of the disclosure will be set forthin the description which follows, and in part will be obvious from thedescription, or can be learned by practice of the herein disclosedprinciples. The features and advantages of the disclosure can berealized and obtained by means of the instruments and combinationsparticularly pointed out hereinafter. These and other features of thedisclosure will become more fully apparent from the followingdescription and accompanying drawings, or can be learned by the practiceof the principles set forth herein.

The approaches set forth herein can be used to assign every content itemin a multi-user network-based content management environment (storageenvironment) a Globally Unique Identifier (GUID), instead of relyingsolely on content item paths and/or content item names in a hierarchicaldirectory structure. The storage environment can include one or morestorage devices, one or more servers, network infrastructure, othercomputing devices, databases, and so forth. FIG. 9, discussed below,provides a more detailed view of an example storage environment. Forexample, the content management environment can store content items invirtually any data storage location or locations, and can maintain aGUID for each content item to uniquely identify that content itemregardless of where it is stored. Typically the storage environmentassigns a GUID to a content item at a content item creation event, andthe storage environment maintains that GUID association with the contentitem across user-level edit operations and user-level move operations.However the server can assign a new GUID for a user-level content itemcopy operation or for other operations that result in a new contentitem. When each content item in the space is assigned a GUID, thestorage environment as well as third-party developers can easily referto a specific content item and all of its revisions without requiringknowledge of or dependency on the location of the content item in thecontent item system. With GUIDs, a collection of content items in a useraccount at the storage environment can be represented as a plain set ofcontent item objects, regardless of their actual location. Content itempaths, as represented within the user account, are represented or storedas just another attribute of a content item object, along with otherattributes such as time of creation, time of last modification, authoror owner, or content item size. Thus, GUIDs allow for building neworganizational structures outside of the content item system. Forexample, GUIDs can be used to provide a way for users to participate incomment streams for a content item, photo albums, playlists, and contentitems or folders that are shared, such as via a public or private URL,that aren't sensitive to or dependent on a particular content itemsystem location. Further, GUIDs allow for a richer set of functionalityfor document editing and sharing. With GUIDs, the storage environmentcan also implement aliases, symbolic links, or shortcuts.

Systems, methods, and computer-readable storage media for encryptingcommunications containing or referencing globally unique identifiers toprevent unauthorized access to content item data, such as throughspoofing or ancillary information leakage. An example system configuredto practice the method can identify a communication, between a storageenvironment and a client device, associated with a globally uniqueidentifier for a content item stored in at least one of the storageenvironment and the client device. The content item can be addressablevia a globally unique identifier. Prior to transmitting thecommunication, the system can encrypt a portion of the communicationcontaining the globally unique identifier using an encryption key basedon a client-specific key and a secret version-specific key to yield anencrypted communication, and transmit the encrypted communication to theclient device.

BRIEF DESCRIPTION OF THE DRAWINGS

The principles of the present disclosure will become more explicitlyunderstood from the particular description of the principles disclosedwith reference to specific embodiments thereof which are illustrated inthe appended drawings. Understanding that these drawings depict onlyexemplary embodiments of the disclosure and are not therefore to beconsidered to be limiting of its scope, the principles herein aredescribed and explained with additional specificity and detail throughthe use of the accompanying drawings in which:

FIG. 1 shows an exemplary configuration of devices and a network;

FIG. 2 shows an example client device and client application;

FIG. 3 shows an example flowchart for determining a GUID for a localcontent item change operation;

FIG. 4 shows an example method embodiment for implementing GUIDs in amulti-user network-based content management environment;

FIG. 5 shows an example method embodiment for a client requesting acontent item by GUID;

FIG. 6 shows an example method embodiment for handling GUIDs withcontent item operations;

FIG. 7 shows an example method embodiment for maintaining consistentGUIDs for content items that are accessible via a synchronous interfaceand an asynchronous interface;

FIG. 8 shows an example method embodiment for inferring move and copyrelationships between content items and updating GUIDs accordingly;

FIG. 9 shows an example method embodiment for encrypting GUIDs atcommunication boundaries at a server side;

FIG. 10 shows an example method embodiment for encrypting GUIDs atcommunication boundaries at a client side;

FIG. 11 shows an example method embodiment for encrypting GUIDs based oncommunication type;

FIG. 12 shows an example method embodiment for maintaining currency andconsistency in GUID operations;

FIG. 13A shows a conventional system bus computing system architecture;and

FIG. 13B shows a computer system having a chipset architecture.

DESCRIPTION

Various embodiments of the disclosure are discussed in detail below.While specific implementations are discussed, it should be understoodthat this is done for illustration purposes only. A person skilled inthe art will recognize that other components and configurations may beused without departing from the spirit and scope of the disclosure.

The present disclosure provides additional flexibility and functionalityfor multi-user network-based content management environments by the useof GUIDs. A GUID is a globally unique identifier for a content itemwithin a particular storage space, storage domain, content item objectspace, or other space for storing content items. The storage space caninclude the entire available storage in a storage environment or aportion thereof. The storage environment can provide accounts for userswhich can store and access their own content items in the storageenvironment. For example, a user can upload content items to the storageenvironment via a web interface or a native storage environment clientapplication on a computer or other computing device. After the contentitems are uploaded to the account, the user can access those contentitems via their account from virtually any other network-enabledcomputing device. The user can also share content items or folders intheir account with other users. Thus, the storage environment canmaintain different user accounts for different users, each of which cancontain numerous content items, folders, and metadata. Each item in thestorage environment can be associated with a GUID.

Exemplary system configuration 100 is shown in FIG. 1, whereinelectronic devices communicate via a network for purposes of exchangingcontent and other data. The network can be configured in a wide varietyof configurations that facilitate the intercommunication of electronicdevices, such as a wide area network, local area network, wirelessnetwork, etc. For example, each of the components of system 100 in FIG.1 can be implemented in a localized or distributed fashion in a network.

In system 100, a user can interact with content management system 106through client devices 102 ₁, 102 ₂, . . . , 102 _(n) (collectively“102”) connected to network 104 by direct and/or indirect communication.Content management system 106 can support connections from a variety ofdifferent client devices, such as desktop computers; mobile computers;mobile communications devices, e.g. mobile phones, smart phones,tablets; smart televisions; set-top boxes; and/or any other networkenabled computing devices. Client devices 102 can be of varying type,capabilities, operating systems, etc. Furthermore, content managementsystem 106 can concurrently accept connections from and interact withmultiple client devices 102.

A user can interact with content management system 106 via a client-sideapplication installed on client device 102 _(i). In some embodiments,the client-side application can include a content management systemspecific component. For example, the component can be a stand-aloneapplication, one or more application plug-ins, and/or a browserextension. However, the user can also interact with content managementsystem 106 via a third-party application, such as a web browser, thatresides on client device 102 _(i) and is configured to communicate withcontent management system 106. In either case, the client-sideapplication can present a user interface (UI) for the user to interactwith content management system 106. For example, the user can interactwith the content management system 106 via a client-side applicationintegrated with the content item system or via a webpage displayed usinga web browser application.

Content management system 106 can make it possible for a user to storecontent, as well as perform a variety of content management tasks, suchas retrieve, modify, browse, and/or share the content. Furthermore,content management system 106 can make it possible for a user to accessthe content from multiple client devices 102. For example, client device102 _(i) can upload content to content management system 106 via network104. The content can later be retrieved from content management system106 using the same client device 102 _(i) or some other client device102.

To facilitate the various content management services, a user can createan account with content management system 106. The account informationcan be maintained in user account database 150. User account database150 can store profile information for registered users. In some cases,the only personal information in the user profile can be a usernameand/or email address. However, content management system 106 can also beconfigured to accept additional user information.

User account database 150 can also include account managementinformation, such as account type, e.g. free or paid; usage information,e.g. file edit history; maximum storage space authorized; storage spaceused; content storage locations; security settings; personalconfiguration settings; content sharing data; etc. Account managementmodule 124 can be configured to update and/or obtain user accountdetails in user account database 150. The account management module 124can be configured to interact with any number of other modules incontent management system 106.

An account can be used to store content, such as documents, text files,audio files, video files, etc., from one or more client devices 102authorized on the account. The content can also include folders ofvarious types with different behaviors, or other mechanisms of groupingcontent items together. For example, an account can include a publicfolder that is accessible to any user. The public folder can be assigneda web-accessible address. A link to the web-accessible address can beused to access the contents of the public folder. In another example, anaccount can include a photos folder that is intended for photos and thatprovides specific attributes and actions tailored for photos; an audiofolder that provides the ability to play back audio files and performother audio related actions; or other special purpose folders. Anaccount can also include shared folders or group folders that are linkedwith and available to multiple user accounts. The permissions formultiple users may be different for a shared folder.

The content can be stored in content storage 160. Content storage 160can be a storage device, multiple storage devices, or a serveradministered by content storage 160. Alternatively, content storage 160can be a cloud storage provider or network storage accessible via one ormore communications networks. Content management system 106 can hide thecomplexity and details from client devices 102 so that client devices102 do not need to know exactly where the content items are being storedby content management system 106. In one variation, content managementsystem 106 can store the content items in the same folder hierarchy asthey appear on client device 102 _(i). However, content managementsystem 106 can store the content items in its own order, arrangement, orhierarchy. Content management system 106 can store the content items ina network accessible storage (SAN) device, in a redundant array ofindependent disks (RAID), etc. Content storage 160 can store contentitems using one or more partition types, such as FAT, FAT32, NTFS, EXT2,EXT3, EXT4, ReiserFS, BTRFS, and so forth.

Content storage 160 can also store metadata describing content items,content item types, and the relationship of content items to variousaccounts, folders, or groups. The metadata for a content item can bestored as part of the content item or can be stored separately. In onevariation, each content item stored in content storage 160 can beassigned a system-wide unique identifier.

Content storage 160 can decrease the amount of storage space required byidentifying duplicate content items or duplicate segments of contentitems. Instead of storing multiple copies, content storage 160 can storea single copy and then use a pointer or other mechanism to link theduplicates to the single copy. Similarly, content storage 160 can storecontent items more efficiently, as well as provide the ability to undooperations, by using a content item version control that tracks changesto content items, different versions of content items (includingdiverging version trees), and a change history. The change history caninclude a set of changes that, when applied to the original content itemversion, produce the changed content item version.

Content management system 106 can be configured to support automaticsynchronization of content from one or more client devices 102. Thesynchronization can be platform agnostic. That is, the content can besynchronized across multiple client devices 102 of varying type,capabilities, operating systems, etc. For example, client device 102_(i) can include client software, which synchronizes, via asynchronization module 132 at content management system 106, content inclient device 102 _(i)'s content item system with the content in anassociated user account. In some cases, the client software cansynchronize any changes to content in a designated folder and itssub-folders, such as new, deleted, modified, copied, or moved contentitems or folders. The client software can be a separate softwareapplication, can integrate with an existing content managementapplication in the operating system, or some combination thereof. In oneexample of client software that integrates with an existing contentmanagement application, a user can manipulate content directly in alocal folder, while a background process monitors the local folder forchanges and synchronizes those changes to content management system 106.Conversely, the background process can identify content that has beenupdated at content management system 106 and synchronize those changesto the local folder. The client software can provide notifications ofsynchronization operations, and can provide indications of contentstatuses directly within the content management application. Sometimesclient device 102 _(i) may not have a network connection. In thisscenario, the client software can monitor the linked folder for contentitem changes and queue those changes for later synchronization tocontent management system 106 when a network connection is available.Similarly, a user can manually stop or pause synchronization withcontent management system 106.

A user can also view or manipulate content via a web interface generatedand served by user interface module 122. For example, the user cannavigate in a web browser to a web address provided by contentmanagement system 106. Changes or updates to content in the contentstorage 160 made through the web interface, such as uploading a newversion of a content item, can be propagated back to other clientdevices 102 associated with the user's account. For example, multipleclient devices 102, each with their own client software, can beassociated with a single account and content items in the account can besynchronized between each of the multiple client devices 102.

Content management system 106 can include a communications interface 120for interfacing with various client devices 102, and can interact withother content and/or service providers 109 ₁, 109 ₂, . . . , 109 _(n)(collectively “109”) via an Application Programming Interface (API).Certain software applications can access content storage 160 via an APIon behalf of a user. For example, a software package, such as an app ona smartphone or tablet computing device, can programmatically make callsdirectly to content management system 106, when a user providescredentials, to read, write, create, delete, share, or otherwisemanipulate content. Similarly, the API can allow users to access all orpart of content storage 160 through a web site.

Content management system 106 can also include authenticator module 126,which can verify user credentials, security tokens, API calls, specificclient devices, and so forth, to ensure only authorized clients andusers can access content items. Further, content management system 106can include analytics module 134 that can track and report on aggregatecontent item operations, user actions, network usage, total storagespace used, as well as other technology, usage, or business metrics. Aprivacy and/or security policy can prevent unauthorized access to userdata stored with content management system 106.

Content management system 106 can include sharing module 130 formanaging sharing content publicly or privately. Sharing content publiclycan include making the content item accessible from any computing devicein network communication with content management system 106. Sharingcontent privately can include linking a content item in content storage160 with two or more user accounts so that each user account has accessto the content item. The sharing can be performed in a platform agnosticmanner. That is, the content can be shared across multiple clientdevices 102 of varying type, capabilities, operating systems, etc. Thecontent can also be shared across varying types of user accounts.

In some embodiments, content management system 106 can include a contentitem management module 128 for maintaining a content directoryidentifying the location of each content item in content storage 106.The content directory can include a unique content entry for eachcontent item stored in the content storage.

A content entry can include a content path that can be used to identifythe content item. For example, the content path can include the name ofthe content item and a folder hierarchy associated with the contentitem. For example, the content path can include a folder or path offolders in which the content item is placed as well as the name of thecontent item. Content management system 106 can use the content path topresent the content items in the appropriate folder hierarchy.

A content entry can also include a content pointer that identifies thelocation of the content item in content storage 160. For example, thecontent pointer can include the exact storage address of the contentitem in memory. In some embodiments, the content pointer can point tomultiple locations, each of which contains a portion of the contentitem.

In addition to a content path and content pointer, a content entry canalso include a user account identifier that identifies the user accountthat has access to the content item. In some embodiments, multiple useraccount identifiers can be associated with a single content entryindicating that the content item has shared access by the multiple useraccounts.

To share a content item privately, sharing module 130 can be configuredto add a user account identifier to the content entry associated withthe content item, thus granting the added user account access to thecontent item. Sharing module 130 can also be configured to remove useraccount identifiers from a content entry to restrict a user account'saccess to the content item.

To share content publicly, sharing module 130 can be configured togenerate a custom network address, such as a uniform resource locator(URL), which allows any web browser to access the content in contentmanagement system 106 without any authentication. To accomplish this,sharing module 130 can be configured to include content identificationdata in the generated URL, which can later be used to properly identifyand return the requested content item. For example, sharing module 130can be configured to include the user account identifier and the contentpath in the generated URL. Upon selection of the URL, the contentidentification data included in the URL can be transmitted to contentmanagement system 106 which can use the received content identificationdata to identify the appropriate content entry and return the contentitem associated with the content entry.

In addition to generating the URL, sharing module 130 can also beconfigured to record that a URL to the content item has been created. Insome embodiments, the content entry associated with a content item caninclude a URL flag indicating whether a URL to the content item has beencreated. For example, the URL flag can be a Boolean value initially setto 0 or false to indicate that a URL to the content item has not beencreated. Sharing module 130 can be configured to change the value of theflag to 1 or true after generating a URL to the content item.

In some embodiments, sharing module 130 can also be configured todeactivate a generated URL. For example, each content entry can alsoinclude a URL active flag indicating whether the content should bereturned in response to a request from the generated URL. For example,sharing module 130 can be configured to only return a content itemrequested by a generated link if the URL active flag is set to 1 ortrue. Thus, access to a content item for which a URL has been generatedcan be easily restricted by changing the value of the URL active flag.This allows a user to restrict access to the shared content item withouthaving to move the content item or delete the generated URL Likewise,sharing module 130 can reactivate the URL by again changing the value ofthe URL active flag to 1 or true. A user can thus easily restore accessto the content item without the need to generate a new URL.

While content management system 106 is presented with specificcomponents, it should be understood by one skilled in the art, that thearchitectural configuration of system 106 is simply one possibleconfiguration and that other configurations with more or less componentsare also possible. For example, content management system 106 canimplement GUIDs for stored content items, such as files. Client devices102 can include a client application that communicates, via network 104,with content management system 106 to synchronize content items storedin data storage 160 and GUIDs associated with the content items. Clientdevice 102 can include an operating system that maintains uniqueidentifiers for the content items according to an operating systemschema that may be different from the GUIDs maintained for use withcontent management system 106.

Content management system 106 can include, such as part ofcommunications interface 120 and/or content item management module 128,a synchronous client interface and an asynchronous client interface forclient devices 102 to access content items through content managementsystem 106. Content management system 106 can also include a GUIDgenerator, and a GUID processor for resolving GUID conflicts for GUIDsgenerated by the various client devices 102 in an asynchronous accessmodel. Further, content management system 106 can include an encryptionmodule that assists in securing GUID transmissions at communicationboundaries.

FIG. 2 shows an example client device 200 and client application 216installed or running on client device 200. Client device 200 can includeGUID generator 208. GUID generator 208 can generate proposed GUIDs forlocal content item operations that require a new GUID. However, contentmanagement system 106 can maintain the canonical GUID records.Therefore, any GUIDs proposed by GUID generator 208 may be accepted orreplaced by content management system 106. The client device can includeoperating system specific unique identifiers for content items stored indata storage 160. Client device 200 can include encryption module 206for communicating with content management system 106, either bydecrypting encrypted GUID transmissions from content management system106 or by encrypting GUID transmissions to content management system106. Client device 200 can include temporary storage area 210 for use inperforming certain content item operations, such as an edit operation ora copy operation. Client device 200 can include web browser 204 foraccessing content management system 106 without using client application216.

In one example, content management system 106 can represent GUIDs as128-bit integers, each of which identifies a specific content itemobject in content management system 106, but GUIDs can be represented asshorter or longer integers or as other representations that are notstrictly numeric, such as an alphanumeric string. Some example randomlygenerated 128-bit GUIDs are provided below, in hexadecimal form:

-   -   a717d6c3-9797-40d5-8300-55e894e5bd59    -   0aa3ed5f-e0bc-4069-aa72-9856407850f8    -   02126692-1a75-459e-908e-bbf0421ca045    -   9b195a0c-3ce7-49 db-8a95-bc5c027192a5    -   292370cf-ea26-4202-86f5-047f93e9ca51

GUIDs allow content management system 106 to model each namespace as aset of content item objects with unique identifiers instead of as adirectory-based hierarchy of content items. GUIDs can include one ofthree potential relationships. The first relationship is one GUID tomany content item revisions, modeled as (rev_id, ns_id, sj_id). Contentmanagement system 106 can track mappings of a GUID to a current path ofthe content item in content management system 106, modeled as (ns_id,path). This mapping may not exist or may be null if the content itemobject is not currently located anywhere in content management system106, such as a GUID for a content item that previously existed but hassince been deleted. The first relationship maps a GUID to a sequence ofcontent item revisions for a content item object designated by thatGUID. Revisions and content item objects can span multiple storagenamespaces. In one embodiment, rev_id is a monotonically increasinginteger that indicates the order of the revisions for that GUID.

The second relationship is one GUID to one or zero content item paths,and the third relationship is one GUID to one or zero branch points,which are similar. These relationships can be modeled as (guid, rev_id).The second and third relationships can map a GUID to another GUID at thepoint that the corresponding content item object was copied. Thisoriginal GUID can be called a “parent GUID.” GUIDs that lack a parentGUID can represent content item objects that were not derived from othercontent items. Content management system 106 can store these GUIDrelationships in one or more GUID databases, or can store these GUIDrelationships as metadata associated with the GUIDs or with the contentitem objects.

Content management system 106 may adjust or modify GUID assignments whenperforming logical operations on content items in the file systemstructure. Several examples are provided below in terms of a genericapplication programming interface (API) for accessing data stored incontent management system 106. These example content item operations aredescribed in terms of user-level file system operations. In thiscontext, user-level means a high-level operation indicated by the user.Applications that access data via such an API may need to translateuser-level operations into the operations described below to interactcorrectly with a GUID-enabled content management system 106. Each of theexample operations described below can operate on an account withcontent management system 106 in the initial state shown below. Notethat the rev parameter in the API can correspond to a server journalidentifier (SJID) on a backend of content management system 106.

Format: <ns_id>:<rel_path> -> {<metadata_key>: <metadata_value>}0:/foo.txt -> {guid: 0, sj_id: 0, rev: “A”, is_dir: false, deleted:false} 0:/baz.txt -> {guid: 2, sj_id: 3, is_dir: false, deleted: true}0:/qux.txt -> {guid: 2, sj_id: 5, is_dir: false, deleted: true}0:/folder -> {is_dir: true, sj_id: 1, deleted: true} 0:/folder/bar.txt-> {guid: 1, sj_id: 2, rev: “B”, is_dir: false, deleted: false} Format:GUID:<GUID> -> [(<rev_id>, <ns_id>, <sj_id>)] GUID:0 -> [(0, 0, 0)]GUID:1 -> [(0, 0, 2)] GUID:2 -> [(1, 0, 5)]

Content management system 106 can accomplish a simple add operationaccording to an API call with the following input parameters:

root: “account-root” path: “/folder/baz.txt”

Based on these input parameters, content management system 106 cancreate a new content item located at “/folder/baz.txt”. Contentmanagement system 106 can give this content item a new GUID and thatGUID will not have any parent GUID association.

Content management system 106 can accomplish a simple edit operationaccording to an API call with the following input parameters:

root: “account-root” path: “/foo.txt” parent_rev: “A” (same as currentrev)

Content management system 106 can retain the same GUID for the contentitem at /foo.txt, and add a new revision as indicated by the inputparameters. Content management system 106 can perform some consistencychecking to ensure that the revision indicated in the input parametersis valid, such as checking if a parent revision exists before linking acurrent revision to the parent revision.

Content management system 106 can accomplish a conflicted edit operationaccording to an API call with the following input parameters:

root: “account-root” path: “/foo.txt” parent_rev: “C” (different fromcurrent rev)

Because the parent_rev parameter does not match the current parent_revof “foo.txt”, content management system 106 can create a new contentitem, such as “foo (conflicted copy).txt”. This new content item canhave a new GUID pointing to the parent GUID 0, at rev_id 0.

Content management system 106 can accomplish a simple copy operationaccording to an API call with the following input parameters:

root: “account-root” from_path:“/foo.txt” to_path: “/folder/baz.txt”

Content management system 106 can create a new content item at“/folder/baz.txt” and assign the new content item a new GUID. The GUIDof the new content item will have a parent GUID 0, at rev_id 0.

Content management system 106 can accomplish a simple move operationaccording to an API call that provides the following input parameters:

root: “account-root” from_path: “/foo.txt” to_path: “/folder/baz.txt”

Content management system 106 can move the content item “/foo.txt” to“/folder/baz.txt”. The content item at “/folder/baz.txt” can keep theGUID 0 that was previously pointing to “/foo.txt”. The GUID 0 also nowhas another revision, (1, 0, 6), and the SJID becomes 6 because it isthe next consecutive SJID for the namespace 0.

Content management system 106 can accomplish a simple restore operationaccording to an API call with the following input parameters:

root: “account-root” path: “/qux.txt” (same as latest path for thisGUID)

Content management system 106 can restore the deleted content item“/qux.txt”, and can maintain the GUID 2 that the deleted content itemoriginally had. Further, content management system 106 can associateGUID 2 with an additional revision (2, 0, 6).

Content management system 106 can accomplish a conflicted restoreoperation according to an API call with the following input parameters:

root: “account-root” path: “/baz.txt” (different from latest path forthis GUID)

Content management system 106 can restore the content item “/baz.txt”,but the GUID 2 that the content item “/baz.txt” originally had was lastseen at a different path (“/qux.txt”). Content management system 106 canassign the content item “/baz.txt” a new GUID that points to the parentGUID 2 at the last rev_id for GUID 2 that was at “/baz.txt”, which inthis case is rev_id 0.

Having discussed some specific examples of content item operations, APIcalls, and corresponding actions performed by content management system106, the disclosure turns to several example scenarios illustratingplatform-specific details for implementing GUIDs in content managementsystem 106. Given the preceding description of how GUID assignmentschange as the file system is modified, content management system 106could propagate GUIDs correctly if the content items stored in contentmanagement system 106 were only accessible via a single, synchronousinterface. However, content management system 106 can also provide anasynchronous interface that allows users to make asynchronous changes tocontent items without mediation. The asynchronous approach can makecontent item manipulation very responsive, but it can also make GUIDpropagation difficult.

In one example implementation of the asynchronous approach, a user canmake changes to a content item stored at a local storage location, and aclient application can synchronize those changes to a copy of thecontent item that is stored at content management system 106. However,changes to the local file system can occur by third-party applicationsor by the operating system itself without the client application actingas a mediator. Thus, the client application may not have a definitiveway of knowing which content items are copies of other content items andwhich content items exist at specific locations because they were movedfrom other locations. The only information available to the clientapplication may be the presence and absence of content items at specificpath. The client application may not have move information. To propagateGUIDs properly in this environment, the content management system andthe client application may need some way to obtain or derive moveinformation between content items.

Due to the lack of move information, both the client application andcontent management system 106 synchronization logic has typically beenbased solely on presence and absence information, leading to an“eventually consistent system” that does not guarantee consistency atevery point in time between the local storage and content managementsystem 106. Instead the client application and content management system106 guarantee that at some point in the future, after all activity hasquiesced, the local storage will be consistent with what is stored incontent management system 106.

The client application and content management system 106 can infer moveand copy relationships between content items without directly mediatingall move and copy operations if a unique identifier can be derived foreach content item on the local file system. The semantics of such anideal unique identifier could be the same as GUIDs at content managementsystem 106 for at least some of the content item operations set forthabove. The ideal unique identifier in the local file system could followuser-level moves and edits of a content item, but copies would generatenew unique identifiers, for example. Then as the client applicationsynchronizes changes with content management system 106, the clientapplication can map the local file system identifier back to the lastknown GUID with which it was associated.

Microsoft® Windows® provides an Object ID that can serve as such anidealized unique identifier. Object IDs are preserved across edits aslong as applications implement their edit behavior using ReplaceFile( ).Mac® OS X® provides a similar concept called ATTR_CMN_OBJPERMANENTIDthat relies on applications using exchangedata( ) to implement editing.Unfortunately, such an ideal unique identifier is not universallyavailable, such as in Linux™-based operating systems and rare filesystems on Mac® OS X® that don't support exchangedata( ). When no suchequivalent for the idealized unique identifier exists, the clientapplication or content management system 106 can approximate thesespecial identifiers using a set of heuristics and a combination of indexnode (inode) numbers and extended file attributes (xattrs). However,inodes may or may not follow user-level edits, and xattrs, which are amodern file system interface that support application-defined filemetadata that generally follow edits, moves, and copies, may be prone toerror.

Both the client application and content management system 106 cantransmit and assign GUIDs to one another, and these GUIDS aresynchronized between the client application and content managementsystem 106. An example implementation of a GUID-based architecture canbe built on existing, non-GUID-based content item synchronizationinfrastructure. In this implementation, content management system 106can hold the canonical state of each account. Client application(s) canattempt to modify the content management system state in response tolocal changes and what the client application considers to be thecurrent state of content management system 106. With respect to GUIDs,content management system 106 and the client application can beresponsible for different functionality. Content management system 106can be responsible for deciding the canonical GUID assignments and theclient application can be responsible for tracking the location of apreviously assigned GUID and updating content management system 106 withthe new location when content items are moved or edited. Contentmanagement system 106 can treat the GUID information received from theclient application as a strong hint. However, as the central coordinatorfor making canonical GUID assignments, content management system 106 canstill be free to give any GUID to any content item. Client devices thataccess content items stored in the account at content management system106 via an API or via a web interface may not play a part in the GUIDassigning system outside of transparently propagating GUIDs across movesand edits using the higher-level APIs described above because they aresynchronous access schemes and not asynchronous.

When migrating from an existing synchronization infrastructure that wasbuilt around path-based lookup, content management system 106 canassociate GUIDs with paths as extra metadata or extended attributes.Extended attributes can associate arbitrary key-value pairs, calledxattrs, with content items. Content management system 106 and the clientapplication can transmit GUIDs between each other as xattrs.Transmitting GUIDs in this way can allow for transparent support ofnon-GUID-aware clients, such as clients on older systems or clients whohave not yet upgraded to a GUID-aware version of the client application.The form and semantics of extended attributes for GUID tracking on olderclients may depend heavily on the specific combination of applicationversion, file system type, and operating system version being used atthe clients. In most cases, xattrs are carried across all edits, moves,and copies. Content management system 106 can implement logic to handlemultiple copies with the same GUID by assigning each of the multiplecopies a new GUID.

On GUID-aware clients, extended attributes can associate a GUID with acontent item in the internal sync logic and can guide transmission ofGUIDs between content management system 106 and the client application.When syncing changes to the local file system, in addition to persistingthe GUID with the content item using the native xattr system, the clientapplication can further associate the local file system uniqueidentifier with content management system GUID in a separate localdatabase. When syncing local changes back up to content managementsystem 106, the client application can read in the local identifier andlookup content management system GUID in the local database.

Two example approaches for synchronizing content items and GUIDs betweencontent management system 106 and the client application can becommit_batch( ) and list( ). commit_batch( ) can be the ultimateendpoint for mutating content items in an account. list( ) can be usedto retrieve all changes to an account that have happened after somepoint. All GUID bookkeeping and assignment can occur in thecommit_batch( ), and the client application can retrieve canonical GUIDassignments from content management system 106 via list( ). For thepurposes of describing the implementation of GUIDs, an explanation ofthe interfaces and the extensions made to commit_batch( ) and list( ) inorder to support GUIDs is provided below.

The interface to commit_batch( ) can be simple, even thoughcommit_batch( ) internally can be very complex. Commit_batch( ) canaccept a list of dictionaries of content item metadata to be added tothe account, keyed by namespace ID and path. Commit_batch( ) can performbest when called to modify only a single namespace because namespacesare partitioned across many databases. Modifying a single namespace canlimit the amount of databases the server has to interact with. Anexample usage of commit_batch( ) in Python is provided below:

content item_metadata = [{‘ns_id’ : 0,          ‘path’ : “/foo.txt”,         # `blocklist` defined somewhere else           ‘blocklist’ :blocklist,           ‘size’ : 4 * 1024 * 1024,           ‘mtime’ :1340067856,           ‘is_dir’ : False,          # `guid_xattr` definedsomewhere else           ‘attrs’ : {‘account-root’ :            {‘guid’:            {‘data’ : guid_xattr}}},           ‘target_ns’ : None,         # when “parent” attributes don't match the          # currentlatest version for the path then the          # server returns‘conflict’, (None means this          # change derives from no earlierserver version)           ‘parent_attrs’ : None,          ‘parent_blocklist’ : None}] ret = commit_batch(contentitem_metadata) commit_result = ret[‘results’][0] ifisinstance(commit_result, (int, long)):    print “Commit was successful!sjid: %r” % (commit_result,) else:    print “Commit was not successful!error: %r” % (commit_result,)

This example demonstrates that the GUID xattr for the content item canbe stored in the guid_xattr variable and sent up in the attrs key of themetadata dictionary used as input to commit_batch( ). The GUID sent uphere only serves as a hint, as set forth above. If it conflicts withanother GUID already assigned by content management system 106, thiscontent item might be assigned a new GUID.

In addition to the path to GUID mappings provided by the extendedattributes system, content management system 106 can track severalrelated mappings, such as the one GUID to many revisions and one GUID toone branch point mapping discussed above. Modifications to commit_batch() can accommodate updating these mappings when changes to a contentitems in an account occur. Performing the GUID bookkeeping synchronouslywith commit_batch( ) can ensure that at every point in time the GUIDstate is always consistent with the state of every account.

In one example, the modified assignment logic can filter all of the newrows to the server_file_journal (SFJ) table generated by commit_batch( )through another layer of logic that can responsible for updating therelevant tables that store the GUID mappings. However, the modifiedassignment logic can alternatively modify other tables or can beincorporated as part of an existing table. If content management system106 could trust the path/GUID associations sent by the clientapplication, content management system 106 could update the GUIDmappings relatively easily just from the new “inserts” to SFJ generatedby commit_batch( ). Unfortunately, some client applications may not havestrong GUID tracking mechanisms, such as the older client applicationversions or Linux™ clients discussed above. Content management system106 can verify that the content items are not being committed withconflicting GUIDs. Further, commit_batch( ) can include or invoke someadditional heuristics to decide what GUID to give a content item. Thismay be especially important when a client tries to commit a GUID thatconflicts with another content item in order to correct the conflict andassign proper GUIDs for one or both of the conflicting content items.Table 1 below shows some example heuristics, a short description of thesituation in which the example heuristics may apply, and a correspondingresult of applying the heuristic to a GUID conflict.

TABLE 1 Heuristic Name Description Result simple-retain The path isbeing committed with a GUID that Insert path gets is already assigned toit. attempted GUID simple-carry Only two inserts are in this insertbatch: the Insert path gets path that had the GUID is being deleted andattempted GUID another path is being committed with that GUID.simple-carry-with-adds A modification of simple-carry, except thereInsert path gets are only many other unrelated adds being attempted GUIDinserted. simple-carry-with-deletes Similar to simple-carry, exceptthere are only Insert path gets many unrelated deletes being inserted.attempted GUID simple-carry-with-many Similar to simple-carry, exceptthere are many Insert path gets other unrelated changes. attempted GUIDdirectory-carry Similar to simple-carry except that instead of Insertpath gets the previous path with the GUID being deleted, attempted GUIDit is instead being committed as a directory. lost-carry Similar tosimple-carry except that instead of Insert path gets the previous pathwith the GUID being deleted, attempted GUID it is instead beingcommitted without any GUID. simple-unmapped The GUID being attempted forthis content Insert path gets item isn't currently assigned to any otherpath attempted GUID and this is the only path attempting to get thisGUID. simple-preexisting Only a single content item in this insert batchis Insert path gets being committed with this GUID but this GUID newGUID is already assigned to another content item complex-retain Manycontent items in the insert batch are Insert path gets attempting toobtain this GUID but this content attempted GUID item has the same pathas the current content item with this GUID. complex-preexisting Manycontent items in the insert batch are Insert path gets attempting toobtain this GUID. new GUID complex-preexisting- Similar tocomplex-preexisting except that the Insert path gets with-real actualholder of this GUID is included in the new GUID insert batch.simple-restore File is being restored and attempts a GUID that Insertpath gets was last seen at the same path. attempted GUIDrestore-preexisting File is being restored and attempts a GUID thatInsert path gets was last seen at a different path. new GUID

An additional modification to commit_batch( ) can change the returnvalue to return the final GUID assignment for each content item in itsresult dictionary. This modification can be similar to how commit_batch() returns the list of assigned SJIDs in the order that content itemswere submitted in the input list. But instead, the modifiedcommit_batch( ) can return a list of assigned GUIDs in the same order.This modification can allow the client application to eagerly associatelocal content item IDs, such as the native GUID or inode, with thecanonical GUID maintained by content management system 106.

The interface to list( ) can be modified to accommodate GUIDs as well.Unlike commit_batch( ) list( ) can be simple in both implementation andinterface. The interface for list( ) can accept a dictionary thatrepresents a mapping from namespace ID to SJID and returns all latestcontent item metadata. For example, the content item metadata can bestored in a format similar to the input to commit_batch( ). Thedictionary can include mappings for each path for each namespace thathas an SJID larger than the input SJID for the corresponding namespace,for example. Essentially list( ) can perform a query similar to theexample database query provided below:

SELECT * FROM server_file_journal WHERE ns_id = %(ns_id)s AND latest = 1AND id > %(13sjid);

The interface to list( ) can be modified to communicate GUIDs back tothe client device in the space where xattrs are sent down. Further,list( ) can transform GUIDs from their native form before being sentdown to the client.

Either content management system 106 or the client application cangenerate new GUIDs. GUIDs can be generated according to some algorithmor for a particular range. For example, content management system 106can assign a client application a specific range within which togenerate new GUIDs either serially, randomly, or according to somealgorithm. In one embodiment, either content management system 106 orthe client application can generate new GUIDs randomly according to theUUID4 algorithm in Python in order to avoid GUID collisions.

After a GUID is generated, content management system 106 can serializeand transmit the GUID to the client application, or vice versa. Whenserialized into an xattr for the storage backend, content managementsystem 106 can store the UUID.bytes attribute of the GUID. To maketargeted GUID spoofing more difficult content management system 106 canalso encrypt each GUID at the communication boundary with each externalclient, such as client applications and clients that access contentmanagement system 106 via API calls or a web interface. The encryptionkey can be derived from the concatenation of a client-specific key and asecret version-specific encryption key, for example. For clientapplications or a web interface, the client-specific key can be the userID of the client accessing the data. For API applications, theclient-specific key can be a combination of the application ID and theuser ID of the user on whose behalf the API application is acting.Content management system 106 can implement AES encryption, for example,to encrypt the GUID with a key derived using bcrypt on the relevantencryption key. Content management system 106 can sign this encryptedkey by appending an HMAC using a bcrypt derived key from theconcatenation of a secret version-specific “sign key” and theclient-specific key. Pseudo code for this process is provided below:

def encrypt_guid(guid):    encrypt_key = ENCRYPT_KEYS[VERSION]   sign_key = SIGN_KEYS[VERSION]    client_key = hex(user_id) +(hex(app_id) if IS_API_APP( )    else ‘’)    d_encrypt_key =bcrypt(client_key, salt=encrypt_key)    encrypted_guid = aes(str(guid),d_encrypt_key)    to_sign = encrypted_guid + ord(VERSION)    d_sign_key= bcrypt(client_key, salt=sign_key)    signature = hmac_sha256(to_sign,d_sign_key)    # length should be 16 + 1 + 15 == 32    return to_sign +signature[:15]

This encryption process can provide for each user, and applicationsacting on behalf of users, a distinct view of the GUID space. Thisprevents application developers from sharing GUIDs across applicationsand users. This process also prevents GUIDs from syncing across userinstallations of the client application.

Turning now to the storage backend, or where content management system106 actually stores the content items, GUIDs, and other metadata, theGUID backend can use three major mappings: one GUID to many revisions,one GUID to one or zero content item paths, and one GUID to one or zerobranch points. In one implementation, the storage backend maintainsthese mappings in three database tables: guid_revision, guid_path, andguid_parent. If no row exists in the guid_path table for a specific GUIDor the associated columns are 0 (“ ” for the filename column), thestorage backend can assume that no path is currently associated withthat GUID. These tables may be sharded across multiple physicalcomputing devices using a prefix of the GUID as a key into a globaltable that maps from this prefix to the corresponding computing devicecontaining the shard. The length of the prefix used for the shard keydepends on the number of shards available. The prefix of newly generatedGUIDs can be uniformly distributed so that GUID storage is evenly spreadout across the shards.

Content management system 106 can get the latest revision row for aGUID, by executing a query such as the following:

-   -   SELECT * FROM guid_latest WHERE guid=% (guid)s;

Content management system 106 can carry out this query, as well asmaintain the guid_latest table, instead of performing a “group by” queryon the maximum rev_id in the guid_revision table, to limit the amount ofdisk pages kept in a page cache of a database server. Even though the“group by” query would be efficient from the perspective of purely doingdisk TO, because of the layout of the indexes on disk, the amount oflatest rows per page in cache is likely to be much lower compared to theamount of latest rows per page from the guid_latest table. A row in theguid_latest table where the parent_hash and the filename columns areNULL indicates that the GUID is not currently mapped to any location incontent management system 106 file system. It is an error for theparent_hash column to be NULL and filename column to not be NULL orvice-versa.

When restoring a content item, content management system 106 candetermine the latest rev_id at which the GUID was seen at that path.Content management system 106 can perform a “group by” query on themaximum rev_id for that GUID at that path in the guid_revision table. Anexample query is provided below:

SELECT guid, max(rev_id) FROM guid_revision WHERE guid = %(guid) ANDparent_hash = %(parent_hash) AND filename = %(filename) GROUP BY guid;

Content management system 106 can further ensure concurrency,consistency, and locking of the GUIDs while performing GUID operations.To ensure consistency between the GUID tables, content management system106 can permit only a single writer to modify the state of any singleGUID at any given point in time. Content management system 106 canimpose a strong consistency requirement for GUIDs with the state of theserver_file_journal table. A GUID cannot be removed from or added to anamespace without ensuring that the consistent operation happensatomically with server_file_journal and vice-versa. To ensure thisconsistency, content management system 106 can require that allmodifications to the state of any GUID occur within a doubly-nestedcritical region where a mutex is first acquired for the namespace to bemodified and then another mutex is acquired for the GUID to be modified.

As part of the current scheme for ensuring consistency within a specificnamespace, commit_batch( ) can acquire a mutex for each namespace thatit modifies. To further ensure consistency for GUIDs, commit_batch( )can acquire a mutex for every GUID that will be modified during therequest. Content management system 106 can implement application-levellocks for GUIDs, but because application-level locks are limited to asingle application-level lock on a connection at a time, contentmanagement system 106 can optionally use row-level locks to implementthe GUID mutex. For example, content management system 106 can obtain arow-level lock on each row of the guid_path table, and before obtainingthe lock content management system 106 can ensure the row exists in thetable, as shown below:

INSERT IGNORE INTO guid_path (guid) VALUES (%(guid)s); SELECT 1 FROMguid_path WHERE guid = %(guid)s FOR UPDATE;

For a commit_batch( ), content management system 106 can acquire a GUIDlock for every GUID that the client application is attempting to assign,as well as a lock for every GUID that is becoming abandoned as a resultof paths being deleted or converted into directories or otherwise beinggiven a new GUID. The set of GUIDs that content management system 106 istrying to assign to is easily derivable from the input to commit_batch(). The set of GUIDs that are being abandoned can be derived from theprevious latest SFJ entry for each of the paths. Since contentmanagement system 106 acquires the namespace locks first, thisinformation is queryable before acquiring the GUID locks. Thus, thestate of server_file_journal and the xattr table should be consistentwith the GUID table. Since the GUID tables and server_file_journal arelocated on different machines, content management system 106 can querythe guid_path table and ensure that latest paths are consistent withwhat was in the server_file_journal. If not, then content managementsystem 106 can assume that path had no previous GUID, otherwise thatGUID is available for reassignment in commit_batch( ).

The client application can make changes to the local file system bycreating a new content item in a temporary content item stored in acache location or cache directory. Then, when the temporary content itemis ready, the client application moves the original content item to thetemporary space and then moves the temporary content item to thelocation of the original. This approach does not preserve inode data onMac® OS X® or the Object ID on Windows®, which are the native GUIDmechanisms on these operating systems. To limit the potential impact theclient application can make modify or intercept the appropriateOS-native calls that implement GUID mechanisms to preserve theseidentifiers. For example, on Mac® OS X®, the client application canmodify or intercept the inode-preserving file update system callexchangedata( ). On Windows®, the client application can modify orintercept the system call ReplaceFile( ).

FIG. 3 shows an example logical flow 300 for determining a GUID based ona local content item change at a client, as reported by the clientapplication in an asynchronous access model. This logical flow 300 canguide all or part of how the client application modifies or interceptsthe system calls referenced above. The client application can firstdetermine if the file system supports GUIDs (302). If yes, then theclient application can check if the GUID exists in the local database(304) for a content item in question. If the GUID exists in the localdatabase, then the client application can use the GUID from the localdatabase (306). If the GUID does not exist in the local database, thenthe client application can check if xattr contains a GUID (308). Ifxattr contains a GUID, the client application can use the GUID in xattras the parent GUID (310). If not, then the client application can returnno GUID (312). If the client application determines that the file systemdoes not support GUIDs, then the client application can check if xattrhas a GUID (314). If so, the client application can use the GUID inxattr (316). If not, the client application can check if an inode existsin the local database (318). If so, the client application can use theGUID in the local database for that inode (320). If not, then the clientapplication can return no GUID (322). Additional modifications can bemade to the client's sync database (filecache.dbx) to persist the nativeGUID and inode associated with each content item's SJID and contentmanagement system GUID as content items are synced between the clientapplication and content management system 106 via commit_batch( ). Thisapproach can avoid raciness with the GUID assigning process at contentmanagement system 106 if a content item is changing rapidly while theGUID is being assigned at content management system 106 because theclient application communicates with content management system 106 tocoordinate assignment of GUIDs and to resolve GUID conflicts in advance.Consequently, the client application can perform this or similar logicbefore committing content items to content management system 106,instead of when content items are being read by the client application.

While GUIDs can provide a convenient way to uniquely reference aspecific content item and its revision history, metadata, and otherinformation, regardless of a specific path and content item name, thisapproach may expose new avenues for exploitation and cracking. Forexample, an attacker or malicious user may attempt unauthorized accessto content item data, GUID spoofing, or ancillary information leakage.An attacker may attempt to use GUIDs to gain access to content item datafor which the attacker is not authorized. Indirect leakage of otherwiseprivate information, such as information on whether or not a specificuser has had or currently has access to a specific content item object,may also be protected.

With respect to unauthorized access to content item data, theinformation an attacker can access if they have access to a GUID mayinclude all the revisions across all namespaces that the GUID hastraversed, the current content item location of the GUID, and the parentGUID. Content management system 106 can prohibit access to content itemdata to unauthenticated users unless a user who had access to that datahas explicitly made it public, such as via a “Public folder” or othersharing mechanism. For an authenticated user, content management system106 can grant access to all revisions of all content items in allnamespaces to which the authenticated user has access. The namespaces towhich a user has access can include the root namespace for that user andall currently subscribed shared folders. To maintain this level ofsecurity, content management system 106 may only grant users access torevision data of any GUID for the namespaces that a user currently hasaccess to, as well as anything derivable from that. This is a worst-casesecurity precaution because even if a user has acquired access to everyGUID in content management system 106, the user is still only allowedaccess to content items for which they have already be granted access,and nothing more.

With respect to GUID spoofing, because GUID propagation is influenced insome cases by data that is located in a per-content item local filesystem specific area (clients which do not have native GUID-likemechanisms already provided by the local file system) and that data isfreely available to any application running on that client, an attackermay theoretically artificially attach a GUID to a content item. This isthe only vector through which an attacker is able to provoke the systemto assign an arbitrary GUID to a content item within their control. Tolimit the impact of this attack, even if an attacker were tosuccessfully spoof a GUID in this way, the attacker would not actuallybe able to get access to content item data they would not normallyalready have access to. Content management system 106 can prevent GUIDspoofing by transmitting GUIDs to clients encrypted and signed based onthe user ID of the user that they are acting on behalf of, this makes itdifficult to spoof an arbitrary GUID retrieved from another source (e.g.a computer running an account linked to a different user, a GUIDretrieved via the API, etc.). Content management system 106 can furtherprevent GUID spoofing by ensuring that that commit_batch( ) will notallow the propagation of a GUID that is not in a namespace the useractually has access to. The only spoofing easily allowed given these twoprecautions is copying an obfuscated GUID wholesale from one contentitem to which the user already has access to another content item towhich the user has access. This attack does not grant the attacker anymore access than they already had and instead just makes the GUIDpropagation incorrect.

The threat of ancillary information leakage is that an attacker mayacquire information about an arbitrary GUID to which they do not alreadyhave access. Ancillary information leakage is discussed here in terms ofthe external interfaces. Users of the API or desktop client willencounter difficulty constructing arbitrary GUIDs that they have notalready seen. Instead of querying for metadata based on content itempath, the API can allow a user to query for the most recent metadatabased on GUID. For a GUID that is not currently at a content item paththat is accessible to the user that the API application is acting onbehalf of, this call can return error messages that mask whether aparticular content item exists, such as returning error 404 (not found)instead of error 403 (forbidden), to prevent accidental leakage aboutthe existence of the GUID in the global system. The other way anattacker may gain information about an arbitrary GUID is via a webinterface to content management system 106. To protect against thispotential vulnerability, the web interface does not show the user anycontent item revisions or other data derived from the GUID to which thatuser does not currently have access.

Having disclosed some system components and GUID concepts, thedisclosure now turns to the example method embodiments shown in FIGS.4-12. For the sake of clarity, each respective example method embodimentis described in terms of an example system 100, as shown in FIG. 1,configured to practice the method. The steps outlined herein areexamples and can be implemented in any combination thereof, includingcombinations that exclude, add, or modify certain steps.

FIG. 4 shows an example method embodiment for implementing GUIDs in amulti-user network-based content management environment. Contentmanagement system 106 can identify a content item at a location withindata storage (402), wherein each user of the system can have arespective user account assigned an amount of storage space withincontent management system 106. Content management system 106 cangenerate, for the content item, a globally unique identifier (404),wherein the globally unique identifier is unique within contentmanagement system 106. Content management system 106 can associate theglobally unique identifier, in an identifier database, with the contentitem, the location, and an authorized user (406), and propagate theglobally unique identifier to at least one client device associated withthe authorized user (408). Upon receiving a request for the globallyunique identifier, content management system 106 can provide to therequesting device at least one of the content item, a revision of thecontent item, the location, an attribute of the content item, ormetadata associated with the content item (410). Then content managementsystem 106 can optionally perform the content item revision on thecontent item and provide an updated GUID in response to the request(412).

FIG. 5 shows an example method embodiment for a client requesting acontent item by GUID. Client device 102, can identify a content item torequest (502) from a multi-user network-based content management system,such as content management system 106, wherein each user of the contentmanagement system is associated with a respective user account having anamount of storage space within the content management system. Thenclient device 102, can retrieve a globally unique identifier associatedwith the content item (504), and submit, to the content managementsystem, a request for the content item (506), wherein the requestreferences the content item by the globally unique identifier, andwherein the request is associated with credentials for a user accountassociated with the content item at the content management system. Thenclient device 102 _(i) can receive, from the content management systemand in response to the request, at least one of the content item, arevision of the content item, an apparent location of the content itemwithin the user account, an attribute of the content item, or metadataassociated with the content item (508). The request can further indicatean action to perform for the content item, such as a content item copy,a content item move, a content item rename, a content item delete, or acontent item synchronization operation between a client and the storageenvironment.

FIG. 6 shows an example method embodiment for handling GUIDs withcontent item operations. Client device 102 _(i) can identify a contentitem to request from content management system 106 (602), wherein eachuser of the content management system 106 can have a respective useraccount assigned an amount of storage space. Client device 102 _(i) canretrieve, from a client database, a globally unique identifierassociated with the content item (604), and submit, to the contentmanagement system 106, a request to perform a content item operation onthe content item (606), wherein the request references the content itemby the globally unique identifier, and wherein the request is associatedwith credentials for a user account associated with the content item atthe content management system 106. Then client device 102 _(i) canreceive, from content management system 106 a result of the content itemoperation and a new globally unique identifier (608). The client device102, can optionally update the client database with the new globallyunique identifier (610) and based on the result. In one variation, theclient device 102 _(i) can associate the globally unique identifier inthe client database with a parent globally unique identifier associatedwith a parent content item from which the content item was created. Thisparent-child relationship can indicate a revision history, or a sourceof a copied content item, for example. Further, the client database canmap the globally unique identifier to multiple revisions of the contentitem, which may span multiple namespaces within the storage environment.

FIG. 7 shows an example method embodiment for maintaining consistentGUIDs for content items that are accessible via a synchronous interfaceand an asynchronous interface. Content management system 106 can make acontent item available to an authorized user (702), wherein the contentitem is addressable via a globally unique identifier, wherein each userof content management system 106 can be associated with a respectiveuser account having an amount of storage space within the contentmanagement system 106, and wherein the content management system cansync copies of content items to one or more client devices. Contentmanagement system 106 can receive, from a client device, content itemchange information (704) derived from data generated by an operatingsystem function at the client device, and analyze the content itemchange information (706) to determine a corresponding action at contentmanagement system 106. Content management system 106 can implement thecorresponding action in the storage environment and optionally provide aconfirmation of the corresponding action to the client device (708).

FIG. 8 shows an example method embodiment for inferring move and copyrelationships between content items and updating GUIDs accordingly.Client device 102, can detect a content item change (802) at a localfile system in a synchronized folder, for example, and transmit, tocontent management system 106, content item change information (804).Client device 102, can receive a confirmation of the correspondingaction from content management system 106 (806), and update a GUID ofthe changed content item (808).

FIG. 9 shows an example method embodiment for encrypting GUIDs atcommunication boundaries at a server side. The server identifies acommunication (902), between a storage environment and a client device,associated with a GUID for a content item stored in at least one of thestorage environment or the client device. The server can encrypt theGUID (904) based on a client-specific key and a secret version-specifickey. In one embodiment, the server encrypts the entire communication,but may only encrypt the GUID portion or some other portion of thecommunication. Then the server can transmit the encrypted communicationto the client device (906) or authorize transmission by some otherentity or otherwise cause the encrypted communication to be sent to theclient.

FIG. 10 shows an example method embodiment for encrypting GUIDs atcommunication boundaries at a client side. Client device 102, canidentify a communication to content management system 106 associatedwith a GUID for a content item (1002). Client device 102, can encryptthe communication using an encryption key based on a client-specific keyand a secret version-specific key (1004). Then Client device 102 _(i)can transmit the encrypted communication to content management system(1006). Client device 102 _(i) can include an internal GUIDcryptographic module that can handle encryption and decryption, such asa cryptographic library or cryptographic routines incorporated as partof a client application for communicating with the storage environment.

FIG. 11 shows an example method embodiment for encrypting GUIDs based oncommunication type. The type of communication can be determined based ona source or intended recipient of the communication, a security levelfor a GUID, a communication protocol for the communication, whether anencryption flag is set, a content item type, and so forth. The examplein FIG. 11 is discussed in terms of a content item type, but theinitiating system can determine whether to encrypt a communication basedon any factor indicating the communication type, as well as determine anencryption strength or an encryption scheme. In one embodiment, theinitiator of the communication can indicate whether the communicationwill be encrypted. The system can identify a communication associatedwith a GUID for a content item 1102. The system can detect a contentitem type for the content item 1104. Then the system can encrypt thecommunication using an encryption key based on the content item type1106, and transmit the encrypted communication 1108.

FIG. 12 shows an example method embodiment for maintaining concurrencyand consistency in GUID operations, such as in an asynchronousenvironment where both a client device and a content management systemcan modify GUIDs for the same content items and attempt to laterreconcile those modifications. In one example, content management system106 can maintain a canonical list of GUIDs and revision histories forcontent items, but accept suggestions from a client device and canincorporate those suggestions that do not conflict with the GUIDinformation already at content management system 106. Content managementsystem 106 can receive a request to modify a GUID associated a contentitem maintained by content management system 106 (1202), wherein eachuser of content management system 106 is associated with a respectiveuser account having an amount of storage space within content managementsystem 106, and wherein content management system 106 can sync copies ofcontent items with one or more client devices. Content management system106 can then acquire a first mutex for a namespace associated with thecontent item (1204), and a second mutex for the GUID to be modified(1206). Then content management system 106 can modify the GUID (1208)according to the request. After the modification, content managementsystem 106 can release the first mutex and the second mutex (1210), andoptionally provide a confirmation in response to the request (1212).

FIG. 13A, and FIG. 13B illustrate exemplary possible system embodiments.The more appropriate embodiment will be apparent to those of ordinaryskill in the art when practicing the present technology. Persons ofordinary skill in the art will also readily appreciate that other systemembodiments are possible.

FIG. 13A illustrates a conventional system bus computing systemarchitecture 1300 wherein the components of the system are in electricalcommunication with each other using a bus 1305. Exemplary system 1300includes a processing unit (CPU or processor) 1310 and a system bus 1305that couples various system components including the system memory 1315,such as read only memory (ROM) 1320 and random access memory (RAM) 1325,to the processor 1310. The system 1300 can include a cache of high-speedmemory connected directly with, in close proximity to, or integrated aspart of the processor 1310. The system 1300 can copy data from thememory 1315 and/or the storage device 1330 to the cache 1312 for quickaccess by the processor 1310. In this way, the cache can provide aperformance boost that avoids processor 1310 delays while waiting fordata. These and other modules can control or be configured to controlthe processor 1310 to perform various actions. Other system memory 1315may be available for use as well. The memory 1315 can include multipledifferent types of memory with different performance characteristics.The processor 1310 can include any general purpose processor and ahardware module or software module, such as module 1 1332, module 21334, and module 3 1336 stored in storage device 1330, configured tocontrol the processor 1310 as well as a special-purpose processor wheresoftware instructions are incorporated into the actual processor design.The processor 1310 may essentially be a completely self-containedcomputing system, containing multiple cores or processors, a bus, memorycontroller, cache, etc. A multi-core processor may be symmetric orasymmetric.

To enable user interaction with the computing device 1300, an inputdevice 1345 can represent any number of input mechanisms, such as amicrophone for speech, a touch-sensitive screen for gesture or graphicalinput, keyboard, mouse, motion input, speech and so forth. An outputdevice 1335 can also be one or more of a number of output mechanismsknown to those of skill in the art. In some instances, multimodalsystems can enable a user to provide multiple types of input tocommunicate with the computing device 1300. The communications interface1340 can generally govern and manage the user input and system output.There is no restriction on operating on any particular hardwarearrangement and therefore the basic features here may easily besubstituted for improved hardware or firmware arrangements as they aredeveloped.

Storage device 1330 is a non-volatile memory and can be a hard disk orother types of computer readable media which can store data that areaccessible by a computer, such as magnetic cassettes, flash memorycards, solid state memory devices, digital versatile disks, cartridges,random access memories (RAMs) 1325, read only memory (ROM) 1320, andhybrids thereof.

The storage device 1330 can include software modules 1332, 1334, 1336for controlling the processor 1310. Other hardware or software modulesare contemplated. The storage device 1330 can be connected to the systembus 1305. In one aspect, a hardware module that performs a particularfunction can include the software component stored in acomputer-readable medium in connection with the necessary hardwarecomponents, such as the processor 1310, bus 1305, display 1335, and soforth, to carry out the function.

FIG. 13B illustrates a computer system 1350 having a chipsetarchitecture that can be used in executing the described method andgenerating and displaying a graphical user interface (GUI). Computersystem 1350 is an example of computer hardware, software, and firmwarethat can be used to implement the disclosed technology. System 1350 caninclude a processor 1355, representative of any number of physicallyand/or logically distinct resources capable of executing software,firmware, and hardware configured to perform identified computations.Processor 1355 can communicate with a chipset 1360 that can controlinput to and output from processor 1355. In this example, chipset 1360outputs information to output 1365, such as a display, and can read andwrite information to storage device 1370, which can include magneticmedia, and solid state media, for example. Chipset 1360 can also readdata from and write data to RAM 1375. A bridge 1380 for interfacing witha variety of user interface components 1385 can be provided forinterfacing with chipset 1360. Such user interface components 1385 caninclude a keyboard, a microphone, touch detection and processingcircuitry, a pointing device, such as a mouse, and so on. In general,inputs to system 1350 can come from any of a variety of sources, machinegenerated and/or human generated.

Chipset 1360 can also interface with one or more communicationinterfaces 1390 that can have different physical interfaces. Suchcommunication interfaces can include interfaces for wired and wirelesslocal area networks, for broadband wireless networks, as well aspersonal area networks. Some applications of the methods for generating,displaying, and using the GUI disclosed herein can include receivingordered datasets over the physical interface or be generated by themachine itself by processor 1355 analyzing data stored in storage 1370or 1375. Further, the machine can receive inputs from a user via userinterface components 1385 and execute appropriate functions, such asbrowsing functions by interpreting these inputs using processor 1355.

It can be appreciated that exemplary systems 1300 and 1350 can have morethan one processor 1310 or be part of a group or cluster of computingdevices networked together to provide greater processing capability.

For clarity of explanation, in some instances the present technology maybe presented as including individual functional blocks includingfunctional blocks comprising devices, device components, steps orroutines in a method embodied in software, or combinations of hardwareand software.

In some embodiments the computer-readable storage devices, mediums, andmemories can include a cable or wireless signal containing a bit streamand the like. However, when mentioned, non-transitory computer-readablestorage media expressly exclude media such as energy, carrier signals,electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implementedusing computer-executable instructions that are stored or otherwiseavailable from computer readable media. Such instructions can comprise,for example, instructions and data which cause or otherwise configure ageneral purpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.Portions of computer resources used can be accessible over a network.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, firmware, orsource code. Examples of computer-readable media that may be used tostore instructions, information used, and/or information created duringmethods according to described examples include magnetic or opticaldisks, flash memory, USB devices provided with non-volatile memory,networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprisehardware, firmware and/or software, and can take any of a variety ofform factors. Typical examples of such form factors include laptops,smart phones, small form factor personal computers, personal digitalassistants, and so on. Functionality described herein also can beembodied in peripherals or add-in cards. Such functionality can also beimplemented on a circuit board among different chips or differentprocesses executing in a single device, by way of further example.

The instructions, media for conveying such instructions, computingresources for executing them, and other structures for supporting suchcomputing resources are means for providing the functions described inthese disclosures.

Although a variety of examples and other information was used to explainaspects within the scope of the appended claims, no limitation of theclaims should be implied based on particular features or arrangements insuch examples, as one of ordinary skill would be able to use theseexamples to derive a wide variety of implementations. Further andalthough some subject matter may have been described in languagespecific to examples of structural features and/or method steps, it isto be understood that the subject matter defined in the appended claimsis not necessarily limited to these described features or acts. Forexample, such functionality can be distributed differently or performedin components other than those identified herein. Rather, the describedfeatures and steps are disclosed as examples of components of systemsand methods within the scope of the appended claims.

What is claimed is:
 1. A system comprising: a multi-user network-basedcontent item management environment storing content items addressable byglobally unique identifiers unique within the content item managementenvironment, wherein the globally unique identifiers are associated, inan identifier database, with the content item, a storage location, andan authorized user having access to the content item, wherein copies ofcontent items are maintained in at least one client device; a processor;and a computer-readable storage medium having stored thereinprocessor-executable instructions for causing the processor to: identifya communication between the content item management environment and aclient device, associated with a globally unique identifier for acontent item stored in at least one of the content item managementenvironment and the client device; prior to transmitting thecommunication, encrypting a portion of the communication containing theglobally unique identifier using an encryption key based on aclient-specific key and a secret version-specific key to yield anencrypted communication; and transmitting the encrypted communication tothe client device.
 2. The system of claim 1, wherein the encryption keyis generated by concatenating the client-specific key and the secretversion-specific key.
 3. The system of claim 1, wherein theclient-specific key is an identifier associated with a user accountthrough which the content item is accessed.
 4. The system of claim 1,wherein the encryption key is signed by appending a hash-based messageauthentication code.
 5. The system of claim 1, wherein encrypting aportion of the communication containing the globally unique identifierfurther comprises: analyzing the communication to detect a position ofthe globally unique identifier; and encrypting, at the position, theglobally unique identifier.
 6. The system of claim 1, wherein thecomputer readable storage medium further comprises processor-executableinstructions for causing the processor to: encrypt the globally uniqueidentifier prior to including the globally unique identifier in to thecommunication.
 7. The system of claim 1, wherein the computer readablestorage medium further comprises processor-executable instructions forcausing the processor to: determine that the communication is intendedfor a destination across a communication boundary.
 8. A methodcomprising: identifying, via a processor of a client device, acommunication between a content item management environment and theclient device, associated with a globally unique identifier for acontent item stored in at least one of the content item managementenvironment and the client device, wherein the content item managementenvironment is a a multi-user network-based content item managementenvironment storing content items addressable by globally uniqueidentifiers unique within the content item management environment,wherein the globally unique identifiers are associated, in an identifierdatabase, with the content item, a storage location, and an authorizeduser having access to the content item, wherein copies of content itemsare maintained in at least one client device; prior to transmitting thecommunication, encrypting a portion of the communication containing theglobally unique identifier using an encryption key based on aclient-specific key and a secret version-specific key to yield anencrypted communication; and transmitting the encrypted communication tothe content item management environment across a communication boundary.9. The method of claim 8, wherein the encryption key is generated byconcatenating the client-specific key and the secret version-specifickey.
 10. The method of claim 8, further comprising encrypting theportion of the communication based on a security threshold of at leastone of the communication and the communication boundary.
 11. The methodof claim 8, wherein the encryption key is signed by appending ahash-based message authentication code.
 12. The method of claim 8,wherein encrypting a portion of the communication containing theglobally unique identifier further comprises: analyzing thecommunication to detect a position of the globally unique identifier;and encrypting, at the position, the globally unique identifier.
 13. Themethod of claim 8 further comprising: encrypting the globally uniqueidentifier prior to including the globally unique identifier in to thecommunication.
 14. A non-transitory computer-readable storage mediumhaving stored therein instructions which, when executed by a processor,cause the processor to perform a method comprising: identifying, acommunication between a content item management environment and a clientdevice, associated with a globally unique identifier for a content itemstored in at least one of the content item management environment andthe client device, wherein the content item management environment is aa multi-user network-based content item management environment storingcontent items addressable by globally unique identifiers unique withinthe content item management environment, wherein the globally uniqueidentifiers are associated, in an identifier database, with the contentitem, a storage location, and an authorized user having access to thecontent item, wherein copies of content items are maintained in at leastone client device; determining decryption ability of a destinationdevice to which the communication is addressed; based on the decryptionability, encrypting at least a portion of the communication containingthe globally unique identifier using an encryption key based on aclient-specific key and a secret version-specific key to yield anencrypted communication; and transmitting the encrypted communication tothe destination device.
 15. The non-transitory computer-readable storagemedium of claim 16, wherein the encryption key is generated byconcatenating the client-specific key and the secret version-specifickey.
 16. The non-transitory computer-readable storage medium of claim16, wherein the client-specific key is an identifier associated with auser account through which the content item is accessed.
 17. Thenon-transitory computer-readable storage medium of claim 16, wherein theencryption key is signed by appending a hash-based messageauthentication code.
 18. The non-transitory computer-readable storagemedium of claim 16, wherein encrypting the portion of the communicationcontaining the globally unique identifier further comprises: analyzingthe communication to detect a position of the globally uniqueidentifier; and encrypting, at the position, the globally uniqueidentifier.